Local Firewall Rules (iptables/nftables)
Location
/etc/iptables/rules.v4, /etc/sysconfig/iptables, /etc/nftables.conf, or runtime via iptables-save / nft list ruleset
Description
Host-based firewall rulesets defining allowed and blocked network traffic. iptables (legacy) and nftables (modern replacement) rules control inbound and outbound connections, NAT, and packet manipulation at the kernel level.
Forensic Value
Firewall rule analysis reveals attacker modifications that open backdoor ports, permit C2 traffic, or block security tool communications. Comparing the running rules (iptables-save or nft list ruleset) against the persistent configuration files detects runtime-only modifications that disappear on reboot. Rules allowing inbound connections on non-standard ports indicate backdoor listeners. NAT rules may reveal traffic tunneling or port forwarding set up for pivoting. An empty or disabled firewall on a production server that should have rules is itself an indicator of tampering.
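The checks described above, as an added example that is not part of the original artifact entry: a small Python triage script that parses two iptables-save dumps (the live ruleset and the persisted rules.v4 file), reports rules that exist only at runtime, flags INPUT ACCEPT rules on ports outside an expected set, lists NAT forwarding entries, and detects an effectively disabled filter table. Both rulesets and the expected-port set are constructed for this example; on a real host you would feed it the output of iptables-save and the contents of the persistent file instead.

```python
"""Triage helper: diff live iptables rules against the persisted file and
flag findings worth explaining. All sample data below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ports this hypothetical server is expected to serve (assumption; set per host).
EXPECTED_INBOUND_PORTS = {22, 80, 443}
DPORT_RE = re.compile(r"--dport (\d+)")
NAT_TARGET_RE = re.compile(r"-j (DNAT|REDIRECT|MASQUERADE)\b")


@dataclass(frozen=True)
class Rule:
    table: str   # filter, nat, mangle, ...
    line: str    # normalised "-A CHAIN ..." text


def parse_iptables_save(text: str) -> Tuple[Set[Rule], Dict[str, str]]:
    """Parse iptables-save format. Returns (rules, policies) where policies maps
    'table/CHAIN' to the chain's default policy (e.g. 'filter/INPUT' -> 'DROP')."""
    rules: Set[Rule] = set()
    policies: Dict[str, str] = {}
    table = "filter"  # iptables-save always names the table first; default is defensive
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # "*filter"
            table = line[1:]
        elif line.startswith(":"):                # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[f"{table}/{chain}"] = policy
        elif line.startswith("-A "):              # a rule appended to a chain
            rules.add(Rule(table, " ".join(line.split())))  # collapse whitespace
    return rules, policies


def runtime_only_rules(running: str, persistent: str) -> List[Rule]:
    """Rules loaded in the kernel but absent from the persisted file; these
    vanish on reboot, the classic sign of a live-only modification."""
    live, _ = parse_iptables_save(running)
    saved, _ = parse_iptables_save(persistent)
    return sorted(live - saved, key=lambda r: (r.table, r.line))


def suspicious_inbound_accepts(running: str) -> List[Tuple[int, str]]:
    """filter/INPUT rules that ACCEPT a destination port outside the expected set."""
    rules, _ = parse_iptables_save(running)
    hits = []
    for r in rules:
        if r.table != "filter" or not r.line.startswith("-A INPUT ") or "-j ACCEPT" not in r.line:
            continue
        m = DPORT_RE.search(r.line)
        if m and int(m.group(1)) not in EXPECTED_INBOUND_PORTS:
            hits.append((int(m.group(1)), r.line))
    return sorted(hits)


def nat_forwarding_rules(running: str) -> List[str]:
    """nat-table DNAT/REDIRECT/MASQUERADE entries: port forwarding or tunnelling to explain."""
    rules, _ = parse_iptables_save(running)
    return sorted(r.line for r in rules if r.table == "nat" and NAT_TARGET_RE.search(r.line))


def firewall_effectively_disabled(running: str) -> bool:
    """True when filter/INPUT has no rules and its policy is ACCEPT (or unset)."""
    rules, policies = parse_iptables_save(running)
    has_input_rules = any(r.table == "filter" and r.line.startswith("-A INPUT ") for r in rules)
    return not has_input_rules and policies.get("filter/INPUT", "ACCEPT") == "ACCEPT"


# Constructed sample: what /etc/iptables/rules.v4 is supposed to contain.
PERSISTENT_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: what iptables-save printed on the live host.
RUNNING_RULES = """\
# Generated by iptables-save (constructed sample, not a real capture)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.0.9:443
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for r in runtime_only_rules(RUNNING_RULES, PERSISTENT_RULES):
        print(f"[runtime-only] {r.table}: {r.line}")
    for port, line in suspicious_inbound_accepts(RUNNING_RULES):
        print(f"[unexpected inbound port {port}] {line}")
    for line in nat_forwarding_rules(RUNNING_RULES):
        print(f"[nat forwarding] {line}")
    print("filter table disabled:", firewall_effectively_disabled(RUNNING_RULES))
```

The diff is set-based on normalised rule text, so rule order and counters are ignored; if ordering matters for a case (an ACCEPT inserted above an existing DROP), compare the raw dumps with diff as well. For nftables hosts the same approach applies to `nft list ruleset` against /etc/nftables.conf, but that output needs its own parser.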